Include third party controls in the audit assertion's in scope system description.


CONTROL ID
14880
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an in scope system description. (CC ID: 14873)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • When using the carve-out method, the description would identify the types of CSOCs that the subservice organization is assumed to have implemented. Examples of the types of CSOCs the subservice organization is assumed to have implemented include the following: (¶ 2.18, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In evaluating the appropriateness of the subject matter when determining whether to accept or continue a SOC 2® examination, relevant matters to consider may include the functions performed by the system, how subservice organizations are used, how information about subservice organizations will be … (¶ 2.46, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If there are CUECs, description criterion DC6 requires that fact to be disclosed in the description of the service organization's system. In addition, because the service auditor does not examine the controls implemented at user entities, disclosure of that information in the service auditor's repor… (¶ 4.37, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the service organization obtains the subservice organization's type 1 or type 2 report that identifies the need for CUECs, during planning, service organization management considers how to address that information in its description. For example, a service organization that outsources aspects of … (¶ 3.90, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Use of the inclusive method becomes more complex when the service organization uses multiple subservice organizations. When the services of more than one subservice organization are likely to be relevant to report users, service organization management may use the inclusive method for one or more su… (¶ 2.97, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • As discussed earlier, a vendor is considered a subservice organization when controls performed by the subservice organization are necessary, in combination with the service organization's controls, to provide reasonable assurance that the service organization's service commitments and system require… (¶ 2.20, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the types of controls expected to be performed at the subservice organization that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization's service commitments and system requirements were achieved; and (¶ 2.14 Bullet 1 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In addition to the controls that the service organization expects the subservice organization to implement (CSOCs), there may be activities that a subservice organization expects the service organization, as a user entity, to perform for the subservice organization's controls to be effective. When a… (¶ 2.29, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Although there is no prescribed format for presenting CUECs in the system description, they are typically included at the end of the system description or at the end of the section that includes the service auditor's description of tests of controls and results and are related to specific trust serv… (¶ 2.28, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • the components of the subservice organization's system used to provide services to the service organization, including the subservice organization's controls that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization's … (¶ 2.14 Bullet 2 ¶ 1 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The inclusive method is frequently difficult to implement and may not be feasible in certain circumstances. The approach entails extensive planning and communication between the service auditor, the service organization, and the subservice organization. Use of the inclusive method becomes more compl… (¶ 2.101, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The types of controls that service organization management assumed, in the design of the service organization's system, would be implemented by the subservice organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the servi… (¶ 3.64 ¶ 1 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in chapter 2, CUECs are controls that are necessary, in combination with the service organization's controls, to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria. When t… (¶ 3.53, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If service organization management has referred to the communications of user entity responsibilities that relate only to specific users, the service auditor would need to consider whether other intended users of the SOC 2 report are likely to misunderstand the description. If the service auditor be… (¶ 3.57, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The controls at the subservice organization that are necessary, in combination with the service organization's controls, to provide reasonable assurance that the service organization's service commitments and system requirements are achieved based on the applicable trust services criteria (¶ 3.60 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The description of controls at the subservice organization may also include aspects of the subservice organization's control environment, risk assessment process, information and communications, and monitoring activities to the extent that they are relevant to controls at the service organization. T… (¶ 3.61, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Relevant aspects of the subservice organization's infrastructure, software, people, procedures, and data (¶ 3.60 Bullet 3, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Identify the types of controls that service organization management assumes would be implemented by the subservice organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization's service commitments and sy… (¶ 3.63 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in chapter 2, when using the carve-out method, the achievement of one or more of the service organization's service commitments or system requirements is dependent on one or more controls at the subservice organization. Such controls are called complementary subservice organization cont… (¶ 3.69 ¶ 1, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When using the carve-out method, description criterion DC7 requires service organization management to include in the description certain disclosures about the use of a subservice organization, including the services provided by the subservice organization and the types of CSOCs it is expected to pe… (¶ 4.42, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If there are CUECs, description criterion DC6 requires that fact be disclosed in the description of the service organization's system. Because the service auditor does not examine the controls implemented at user entities, disclosure of that information in the service auditor's report is necessary t… (¶ 4.39, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)